The Essential Guide to Risk-Based Vulnerability Orchestration / A ZeroNorth Ebook

THE ESSENTIAL GUIDE TO RISK-BASED VULNERABILITY ORCHESTRATION ACROSS THE SOFTWARE LIFECYCLE

A ZeroNorth eBook

Stop Treading Water and Simplify the Management and Remediation of Your Software Vulnerabilities


Table of Contents

Chapter 1: Definitions ............................ 1

Chapter 2: Problems with Current Approaches ....... 3

Chapter 3: Automation vs. Orchestration ........... 5

Chapter 4: Why It Matters ......................... 7

Chapter 5: The Business Benefits .................. 9

Chapter 6: Getting Started with Orchestration .... 11

© 2019 ZeroNorth, Inc.

Chapter 1: Defining Risk-Based Orchestration

Today, software sits at the heart of everything a company must do to stay current and competitive in their quest for digital transformation. This notion was first identified by entrepreneur, investor and software engineer, Marc Andreessen, whose famous article in The Wall Street Journal emphasized the need for “every company to become a software company,” an idea that is now a widely accepted fact. As companies race to put out better products and services at a faster rate, they also have to increase the velocity by which they bring software to market. And because organizations are increasingly reliant on rapid application development cycles to stay ahead of the competition, security is continually challenged to keep pace with these new demands.

Businesses are now faced with finding more effective ways to integrate security tools and practices into their existing digital environments without impacting the speed of business. A move towards cloud technology and microservices, over monolithic applications delivered via waterfall development processes, only confuses the problem because it creates layers of unnecessary complexity—all of which must be properly managed. This type of work demands a precious commodity—namely, people—to manage the systems and infrastructure that underpin an organization. As a result, companies have turned to automation to help them keep up with areas like increasingly frequent, almost continuous, software releases, escalating data breaches and changing risk vectors. Automation has also helped in certain areas by speeding up delivery and executing important, but predictable work more reliably.

However, human intervention is still necessary to manage workflows and draw insight across the entire organization. Take vulnerability management solutions for example—static code, as well as container and infrastructure scans, may be automated, which allows each one to execute on a predefined schedule while also targeting a consistent set of assets. This automation is certainly valuable, yet people are still required to manage each disparate tool and to assess how a vulnerability discovered in one area may bleed into others. Security experts are currently spending more time addressing alerts from disparate tools than on actually correlating and addressing their overall threat matrix. And the problem is only expected to get worse as demand for applications grows.

Automation needs to be part of a cohesive ecosystem known as risk-based vulnerability orchestration, which enables the consistent implementation and management of workflows across individual vulnerability discovery tools throughout the entire software development lifecycle (SDLC). This type of automated orchestration correlates data to prioritize and speed up remediation efforts. Risk-based vulnerability orchestration goes well beyond the niche automation capabilities of threat and vulnerability management (TVM), application vulnerability management (AVM) and application vulnerability correlation (AVC)—as well as the more recently introduced application security orchestration and correlation (ASOC) market—to fully integrate security into the software development process across the infrastructure, without impeding the work of developers. It also allows companies to gain a clear and actionable view of risk to their business while saving the time and money associated with managing disparate scanning tools.

Chapter 2: Current Approaches Are Not Working

Picture a symphony in action. Every instrument is tasked with perfecting its specific section of the musical piece. While each instrument sounds pleasing on its own, the composer’s vision doesn’t fully emerge until all of the musical sections come together in harmony. Automation systems are the same. They can perfect individual tasks, but when they are arranged, coordinated and managed through a comprehensive orchestration process, much like a musical composition, they become far more effective—and harmonious.

Virtually every business in the world relies on software to maintain a competitive edge. At the same time, application vulnerabilities are escalating, and data breaches—how to prevent, plan and recover from them—are common C-suite conversations. The statistics are overwhelming. Research suggests 67 percent of web applications have critical vulnerabilities, 12,553 of which were found between 2016 and 2019, and 91 percent of tested web applications store and process personal data. For leading enterprise software vendors, the number of vulnerabilities per product sits between 4 and 54. These statistics suggest current approaches to security management are not working and will continue in that vein as the pace of business accelerates.

Applications today are simply not designed with security in mind. Scanning for vulnerabilities will always yield findings; however, the growing demand for applications coupled with ongoing cloud migration means the attack surface is greater than ever—and today’s already-overtaxed security experts can hardly keep up.


Today’s security experts have a number of tools at their disposal, all of which possess their own unique functions and processes. Multiple scanning tools are used at various layers in the SDLC, and all of these tools have different ways of rating vulnerabilities. Developers often receive multiple tickets to fix the same existing vulnerability reported by these disparate tools, which is an obvious waste of time and resources. There is no correlation to simplify this process, and trying to normalize it is currently a challenge that will only grow as new applications are added. In addition, testing is not continuous, which means developers may only identify risk at certain points in time.

A shortage in cybersecurity skills only exacerbates the problem. According to a non-profit IT security organization (ISC)², there are currently 2.93 million cybersecurity positions open and unfilled around the world, and a recent survey by the Information Systems Security Association (ISSA) and independent industry analyst firm, Enterprise Strategy Group (ESG), illustrates how this skills shortage is worsening for the third year in a row, impacting some 74 percent of organizations. The most acute skills shortages were seen in cloud security (33 percent), application security (32 percent) and security analysis and investigations (30 percent). Although nearly all (93 percent) respondents agreed they must maintain their skills if they hope to keep their organization secure, 66 percent also said it’s hard to keep up with evolving cybersecurity skills given the regular demands of the job. And another 47 percent of professionals cited an inability to learn about security technologies in the most effective way.

What do all these statistics mean? If conventional processes don’t change, they translate into overworked staff, high labor costs and no economies of scale. Even though engineers are spending considerable time learning how to use each new tool, security teams still have limited visibility into overall risk because they cannot correlate all their data. A better approach to application and infrastructure vulnerability management demands a shift in perspective. Rather than building entirely new tools, experts suggest assuming a more holistic view of our existing security and infrastructure systems to manage risk at the pace of modern business.

Chapter 3: Automation vs. Orchestration

People often use the terms automation and orchestration synonymously, but in truth, they are different. Automation refers to the completion of a single task through proper classification and organization of that task, all without any human assistance. Orchestration, on the other hand, relates to the simultaneous completion of several tasks by classifying and organizing processes and workflows. In this way, automation offers smaller, more targeted functions, while orchestration facilitates the larger configuration, coordination and management of systems and software.

Think back to the symphony analogy—each instrument is capable of perfecting its own section of the musical piece, but harmony is only achieved through some sort of coordinated direction. Even though the orchestra relies on the basic building blocks of each instrument to create the larger harmony, it still cannot exist as separate parts. Much like a symphony, automation and orchestration generally work best when paired together, with orchestration serving the role of the conductor, pulling all of the disparate – but automated – processes together.

The problem is not data. Security practitioners have plenty of information. The problem is how to encapsulate that information and gain insight into the overall risk of a business. Right now, the data we receive is siloed, with no holistic view of risk. More sensible outputs translate into answers on the real exposure we face.

Today, there are multiple vendors offering both automation and orchestration solutions. Scanning tools exist to identify bugs, flaws and vulnerabilities across applications and infrastructure, covering everything from static code and composition analysis to container, infrastructure and dynamic scans to pen testing and more. In fact, it’s nearly impossible for security teams to keep up with the number of alerts they receive every day, and automation helps by replacing the manual work of system administrators and making responses to scans faster, cheaper and more precise. But automation systems cannot reach their peak potential alone. A human being is still required to manage the tool, synthesize the data and then align that data with results coming from other scanning tools. There is still a scalability problem. However, when these automation tools are arranged, coordinated and managed to function in unison with one another through orchestration, humans and their many systems can work in harmony while also lowering costs and improving productivity through the standardization of products and processes.

In an ideal customer environment, automation and orchestration each play a unique and invaluable role. While automation is focused on technical tasks, orchestration manages workflows, pulling together all automated flows into one. In addition, orchestration enables customers to execute various scans through a single integrated platform, lessening the technical burden required to manage all of the scanning tools within a customer’s environment. Because the continuous flow of security updates must be delivered, deployed and integrated at the pace of discovery, orchestration plays a key role in automation’s success. It also leverages technology to drive the consolidated execution, control and management of various automated tasks. In doing so, companies further reduce the human resource burden and deliver added value by correlating activities and insight gained through formerly separate workflows.

Chapter 4: Why Does Orchestration Matter?

When it comes to cybersecurity in the business world, the relationship between applications and infrastructure has never been more critical. Organizations who find ways to effectively integrate new security tools into their digital environment stand to gain a sharper competitive edge and considerable peace of mind if they can implement effective cybersecurity practices throughout the software development lifecycle (SDLC) to defend against both vulnerabilities and risk.

That said, integrating security into the software lifecycle is not always easy, as it involves more than just data. Integrating security in this process means bridging cultural divides across development, QA, infrastructure, security and beyond. Because software is now so omnipresent, it needs to be continuously updated. Many organizations look to the cloud for the flexible infrastructure needed to support the rapid development and delivery of software via microservices. All of this means new lines of potentially flawed code are also being continuously deployed. And as we know, this situation creates an ideal opportunity for attackers.


Further, security measures in business have traditionally been viewed as a barrier to velocity and innovation. A recent survey of IT decision makers confirms these points. When asked about their attitudes toward DevOps, 89 percent of executives said software development and IT security teams need to be in closer contact, and 77 percent said the same for developers, security and operations. Only one-third of respondents viewed DevOps as a shared responsibility between software development and IT operations, while over 78 percent felt improvements are necessary to drive the cultural change and ensure security is fully baked into the DevOps process. This sentiment has given rise to DevSecOps, a methodology developed to address these concerns and build the mindset that anyone involved in the SDLC process is also responsible for its security during development. Even though many experts agree on the basic concept of DevSecOps, or secure DevOps, questions around ownership and implementation remain an issue.

Embracing automation and orchestration is an effective strategy for removing these cultural barriers, allowing for the integration of security into software development as well as the discovery and remediation of critical code and application vulnerabilities before they are delivered to production. Automatic code analysis and vulnerability scans can be orchestrated across applications and infrastructure and automated based on simple policies and run continuously. In addition to the critical issues in need of remediation and reporting, this effort gives both security and development teams the same visibility into all aspects of the security tool chain.

When security teams “shift left,” they become part of the development process from the ground up. By shifting security left in the application development process—and by seamlessly integrating security “early and often” while providing holistic visibility to key constituents—security is no longer an obstacle to velocity, innovation and competitiveness. Instead, it’s an asset that allows any organization to readily address questions like, “How healthy and secure are we?” and “What are our risks?”

Through the orchestration of software and infrastructure security, companies can align the disparate (but automated) tools applied to discover and analyze vulnerabilities across all stages of the SDLC. Disparate tools that manage static code, composition analysis and container, infrastructure and dynamic scans can all be aligned to reduce the time and money spent on managing these tools, while also helping to improve security and compliance. Assuming this type of approach to risk-based vulnerability orchestration management, of both applications and infrastructure, transforms manual and siloed security efforts into a coordinated, comprehensive and real-time discovery and remediation process—and this process is what allows security teams to reduce organizational risk more effectively.

Chapter 5: The Business Benefits

Individual organizations see and tolerate risk in intrinsically subjective ways. To be secure, you must have visibility into anything with the ability to threaten the systems and data you value, so tasks can be prioritized based on real information. Risk-based vulnerability orchestration across applications and infrastructure is what allows you to visualize your exposure in a sensible, comprehensive and focused way, which means formulating responses becomes more manageable.

As businesses embark upon various digital transformation initiatives, such as shifting toward DevOps or deploying microservices, the cost and complexity involved in software security grows significantly. By orchestrating application and infrastructure security, organizations gain a comprehensive and continuous view of risk, as well as an opportunity to reduce the expense associated with managing disparate vulnerability scanning technologies. This shift in thinking allows security to remain a key component in all digital transformation initiatives, including cloud migration.

Risk-based vulnerability orchestration throughout the entire software lifecycle—from code commit to build-outs to actual deployments—addresses some of the most significant questions organizations are asking today about their overall security posture.

Am I healthy?

Today’s disjointed approach to identifying risk makes it impossible to identify the business assets in the greatest peril. Risk-based vulnerability orchestration provides organizations with comprehensive and continuous visibility of vulnerabilities and risk across all stages of the SDLC, while also staying aligned with critical business assets.

Am I compliant?

Today, the fragmented process of identifying and addressing vulnerabilities leaves the door open to security and compliance gaps. Risk-based vulnerability orchestration addresses this weakness by providing a consolidated view of weaknesses and threats, achieved through correlating and normalizing scan results across the entire SDLC.

Am I managing my costs?

Cyber professionals are in high demand, and many of today’s existing scanning tools are costly and challenging to onboard and maintain. A risk-based vulnerability orchestration approach allows organizations to save the time and money required to evaluate, implement and manage scanning tools while increasing their collective value. And because this method integrates security into all stages of the SDLC, it saves resources, maintains continuous delivery of software and fosters secure productivity.

Am I productive?

Companies continue to invest heavily in vulnerability scanning tools, yet the plethora of siloed data they receive means risk is often overlooked. Beyond that, the technical skills needed to manage these tools are significant. Risk-based vulnerability orchestration across the entire software lifecycle allows you to create a significantly more productive cybersecurity program, from AppSec to SecOps.


This orchestrated approach goes beyond automation by enabling the consistent management of various scanning tools used to discover software bugs, flaws and vulnerabilities. It also moves organizations closer to truly secure DevOps by aligning security, operations and development teams around key risks and business priorities. When businesses have a holistic view of risk, they are able to offer data-driven answers to questions like, “How secure are we?” Further, the confidence that comes from knowing the software you deliver to market is secure and high-quality offers peace of mind and the opportunity to compete more aggressively in the industry.

Chapter 6: Getting Started with Orchestration

Today, all businesses face risk during their security journey, which means every organization can benefit from incrementally increasing their ability to prioritize vulnerabilities.

By now, it should be obvious that developing, deploying and continuously updating vulnerability-free code at today’s speed of business is a daunting task, and as a result, companies are spending tons of money trying to tackle their security problems. But, as developers turn to open source components to complement custom code in an effort to move quickly, bugs, flaws and vulnerabilities will be missed. Market reporter, Cybersecurity Ventures, predicts the industry will spend more than $1 trillion on security between 2017-2021; however, a good chunk of this money is allocated for tactical goods and services that solve only a small portion of the problem. Risk-based orchestration addresses this issue for organizations by eliminating fragmented views of vulnerabilities, while also providing a continuous and consolidated view of risk to critical business assets—whether on-premises, in the cloud or deployed as microservices.

Even if you’re not ready to fully embrace this kind of risk-based vulnerability orchestration across both applications and infrastructure, you can still follow these smart, cost-effective steps to mitigating risk:

1. “Shift left” by taking steps to embrace secure DevOps. Security must be baked into the software development process, and culturally, everyone in the organization needs to focus on ensuring this integration happens in a way that doesn’t hinder the fast rollout of new software. A DevOps model will allow you to use your software in new ways—reusing what you have, building custom code and incorporating open source components. However, these changes can also create new risks. Make sure the scanning tools you have offer better visibility into all bugs and flaws across the entire SDLC.

2. Understand your environment. Take inventory of all your processes and schedules around code, application and scanning, as well as an inventory of skilled people, processes and systems. Establish a baseline of everything and everyone that is hitting your network.

3. Identify vulnerabilities at every stage of the development process, regularly and continuously. Individual discovery techniques will not catch all of the critical vulnerabilities living in a system, so it is essential to track software and infrastructure throughout their respective lifecycles.

4. Prioritize weaknesses by matching vulnerability intelligence to the priorities of your business. Many scanning tools report issues that will likely have no impact on security risks. Make sure the vulnerability tools you use scan for risk sensitivities that matter to YOUR organization and prioritize remediation based on those findings.

5. Create a process that facilitates the vulnerability management process. This step will ensure situational awareness takes place in real time, meaning all factors related to risk, reporting and remediation are aligned.
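The correlation and normalization the guide keeps returning to (developers receiving several tickets for one weakness in Chapter 2, tools that rate severity on different scales, and step 4's matching of findings to your own business priorities) reduce to a short pipeline: map each tool's output onto one severity scale, merge findings that describe the same weakness on the same asset, then weight the merged severity by how much the asset matters to the business. The following Python is an added illustration of that pipeline and is not ZeroNorth's code or any vendor's API; the two scanner outputs, their field names, the word-to-number severity mapping and the asset criticality table are all constructed for the example.

```python
"""Normalize, correlate and risk-rank findings from two constructed scanners.

Added example of the normalize -> correlate -> prioritize pipeline; every
input below is constructed for illustration and comes from no real product.
"""

# Constructed output of a hypothetical SAST tool: word-based severity ratings.
SAST_RESULTS = [
    {"asset": "payments-api", "cwe": "CWE-89", "file": "db.py", "severity": "High"},
    {"asset": "payments-api", "cwe": "CWE-79", "file": "views.py", "severity": "Medium"},
    {"asset": "internal-wiki", "cwe": "CWE-79", "file": "render.py", "severity": "High"},
]

# Constructed output of a hypothetical container scanner: CVSS-style numbers.
CONTAINER_RESULTS = [
    {"image": "payments-api", "cwe": "CWE-89", "component": "libpq", "cvss": 9.1},
    {"image": "payments-api", "cwe": "CWE-400", "component": "openssl", "cvss": 5.3},
    {"image": "internal-wiki", "cwe": "CWE-400", "component": "openssl", "cvss": 5.3},
]

# Constructed business criticality per asset (step 4: weight by what matters to YOU).
ASSET_CRITICALITY = {"payments-api": 1.0, "internal-wiki": 0.3}

# Constructed mapping of the SAST tool's words onto the 0-10 scale the scanner uses.
SEVERITY_WORDS = {"critical": 10.0, "high": 8.0, "medium": 5.0, "low": 2.0}


def normalize_sast(raw):
    """Translate one SAST record into the common schema (asset, cwe, severity, source)."""
    return {
        "asset": raw["asset"],
        "cwe": raw["cwe"],
        "severity": SEVERITY_WORDS[raw["severity"].lower()],
        "source": f"sast:{raw['file']}",
    }


def normalize_container(raw):
    """Translate one container-scan record into the same common schema."""
    return {
        "asset": raw["image"],
        "cwe": raw["cwe"],
        "severity": float(raw["cvss"]),
        "source": f"container:{raw['component']}",
    }


def correlate(findings):
    """Merge findings that share (asset, cwe) so one weakness yields one ticket.

    The merged entry keeps the highest normalized severity any tool reported
    and records every source, so the ticket shows which tools agree.
    """
    merged = {}
    for f in findings:
        key = (f["asset"], f["cwe"])
        entry = merged.setdefault(
            key, {"asset": f["asset"], "cwe": f["cwe"], "severity": 0.0, "sources": []}
        )
        entry["severity"] = max(entry["severity"], f["severity"])
        entry["sources"].append(f["source"])
    return list(merged.values())


def prioritize(correlated, criticality, default=0.5):
    """Weight severity by asset criticality; unknown assets get a neutral default."""
    for item in correlated:
        weight = criticality.get(item["asset"], default)
        item["risk"] = round(item["severity"] * weight, 2)
    return sorted(correlated, key=lambda i: (-i["risk"], i["asset"], i["cwe"]))


def build_queue():
    """Run the full pipeline over the constructed inputs and return the ranked queue."""
    findings = [normalize_sast(r) for r in SAST_RESULTS]
    findings += [normalize_container(r) for r in CONTAINER_RESULTS]
    return prioritize(correlate(findings), ASSET_CRITICALITY)


if __name__ == "__main__":
    for item in build_queue():
        print(f"{item['risk']:5.2f}  {item['asset']:14} {item['cwe']:8} "
              f"{', '.join(item['sources'])}")
```

Six raw findings collapse to five tickets: the SQL-injection weakness in payments-api that both tools reported becomes one ticket with two sources instead of two tickets. The ranking also shows what business weighting does: the internal-wiki cross-site scripting finding rated High by the SAST tool lands below a Medium finding in payments-api, because the criticality table says the wiki matters far less. A production pipeline would key correlation on more than (asset, CWE), for example file path or package name, and would take criticality from an asset inventory rather than a hand-written table.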

In the end, organizations need to do more than simply secure code; they need a comprehensive and real-time view of any risk inherent to their software and infrastructure, across cloud, on-premises and hybrid environments. Relying on multiple point tools to address disparate parts of such a complex environment demands a broader solution for orchestrating scanning and remediation—and risk-based vulnerability orchestration, from code commit to build to deployment, is that solution.


ZeroNorth is the industry’s first provider of risk-based vulnerability orchestration across applications and infrastructure. By orchestrating scanning tools throughout the entire software lifecycle, ZeroNorth provides a comprehensive and continuous view of risk and reduces costs associated with managing disparate technologies. ZeroNorth empowers customers to rapidly scale application and infrastructure security while integrating seamlessly into developer environments to simplify and verify remediation. For more information, follow ZeroNorth on Twitter (@ZeroNorthSec), LinkedIn or visit www.zeronorth.io

© 2019 ZeroNorth, Inc. ZeroNorth and the ZeroNorth logo are trademarks of ZeroNorth, Inc. All other brands and products are the marks of their respective holders.